Common wisdom dictates that security should be a top priority for every organization. Considering the constant discovery of new threats and attack strategies, it has to be, if businesses have any intention of keeping their systems, data, employees, and customers safe. Indeed, over the past several years, corporate leadership has consistently identified security as the top – or at least one of the top – priorities. It’s a good thing they have – here are some of the things they can expect to see in the second half of this year and into 2019.

According to reports, DDoS attacks increased significantly in 2017, and continue to evolve. Attackers have also been known to target businesses multiple times – especially those where they have been successful in the past, with any number of motivating factors, including revenge, blackmail, activism, politics, or to provide a distraction for more malicious hacking. While last year gave businesses a bit of a reprieve from large-scale DDoS attacks, they appear to be back in full force this year, including two of the largest in history – one measuring 1.35 Tbps, and the second 1.7 Tbps.

Smaller scale attacks, however, are still prevalent and can be used to circumvent endpoint security and countermeasures. They are often used for scouting and reconnaissance to identify weaknesses in networks, leveraging many different attack vectors for a prolonged period to gather information.

Security teams should also expect to see more IPv6 attacks, especially as more businesses adopt IPv6. It will quickly become a new attack vector cyber criminals will look to exploit before any security flaws are fixed. Also expect an increase in application layer attacks, which can be difficult to detect because they often mimic real requests. But, when they are identified, businesses should be wary – Layer 7 attacks are often part of larger network sieges.

Of course, there’s ransomware, which continues to be a significant concern for business leaders, with a staggering annual growth rate of 350% according to Cisco. Why? In many ways, it’s an ideal tool for attackers:

Easy targeting of individuals and businesses;

Requires little investment;

Monetization is part of the attack itself – there is no need for additional effort; and

Ransom scales with the number of infected devices.

Ransomware, in fact, accounted for 64% of all malicious emails last year and has become a big enough global issue that the World Economic Forum has made it a global security issue on its agenda.

And of course, botnets will also continue to spread, largely because they have become part of a Hacking-as-a-Service mechanism, where botnets can be acquired for a fee to execute any activity desired. It not only propagates the spread of bots, but also creates a revenue stream for cyber criminals. The IoT is likely the next great cyber battleground, presenting a massive bot force if not secured effectively.

The bottom line is that threat actors aren’t standing still – they are evolving and creating new ways to exploit applications, devices, and networks. It’s not a question of if you’re going to be attacked; rather, it’s when you were attacked and when you will be targeted again. But the most important question is: how well prepared are you? To find out how to better prepare your organization against current threats, click here.

Gaming has become serious business, to the extent that the best gamers are earning seven-figure incomes. The average professional gamer (esports) salary is about $60,000 per year. The emergence and growth of a professional gaming industry is a direct function of the popularity of online gaming, which has bred a fiercely competitive environment.

Of course, only a very small percentage of gamers generate any income from their pastime – most play for the fun, but they are no less committed to getting their hours of gameplay in each day. Such a dedicated audience, however, has created another opportunity, one that takes advantage of the massive impact online gaming has had on users: scams and cyberattacks.

A host of fake campaigns are taking aim at the gaming space – particularly those that operate on a freemium model, like the current craze, Fortnite. The scams look to lure gamers into thinking they can use hacks to gain free access to virtual goods or currency, directing them to fake game-currency generators to ultimately get them to click on links to ads by making them believe they are accessing a hack. Often, small windows are opened that simulate scripts giving the appearance of an ongoing hack into the Fortnite account. It’s not just Fortnite, of course. Similar tactics have been used for many popular games, from World of Warcraft to Minecraft.

The problem, of course, is that none of this is real and there is no chance of users gaining any new currency or other goods. Many of these scams operate on simple pay per click models, where advertisers are paying site owners (the scammers) for generating traffic. They are annoying, but generally harmless to users unless they have given up their account names and passwords, in which case hackers can take over their accounts and access any credit cards that are linked.

The bigger problem is that similar tactics can just as easily be used to install malicious software on the users’ machines to access financial accounts, corporate servers, or other sites. Suddenly, cyber criminals may have access to your customers’ accounts because they unsuspectingly clicked on a fake link trying to win a game. Or, your entire corporate network, including proprietary data and customer records, may be compromised because an employee tried to get an edge on other games.

Either way, as a business, you have to take steps to protect your customers and employees from themselves. Naturally, you want to provide as much education as possible around cybersecurity and the many threats that exist. But, knowing that you can’t rely on your customers or employees to be as diligent as they should be regarding security, and also that cyber attacks are constantly evolving and becoming more advanced, you have to take measures into your own hands to protect your networks from unauthorized access. Expect that your networks, employees, and customers will all be hit with attacks, assume that some of them will succeed, and plan your security strategy accordingly. You don’t have to be a gamer or a gaming business, but you should understand that gaming, like any popular online activity, presents an attack vector for cyber criminals to exploit.

To find out more about how to create an effective security strategy, click here.

Data breaches have become commonplace, with reports of new businesses and customer data being compromised regularly. It’s created a world where every customer across the globe is wondering when – not if – their information will end up on the Dark Web, and what the next major breach will be.

One of the latest victims is Singapore’s largest healthcare provider, SingHealth, which acknowledged it suffered a major data breach impacting about a quarter of the country’s population – including Prime Minister Lee Hsien Loong. Abnormal activity on the network was first detected on July 4, which was shortly thereafter confirmed as a cyber attack that began on June 27 and was initiated when thieves gained access to a front-end workstation.

SingHealth has since sent text messages to some 700,000 customers who visited its clinics in the past three years notifying them of the breach and has set up a website for patients to check whether their information was compromised. The hackers gained access to personal information, including names, addresses, birth dates, and identity card numbers. About 160,000 patients also had their outpatient medication data accessed.

Singapore’s Ministry of Communications and Information and Ministry of Health indicated that the hackers specifically targeted the Prime Minister’s information, and Lee commented on Facebook, “Perhaps they were hunting for some dark state secret, or at least something to embarrass me. If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it.”

An investigation is still underway but, regardless of motive, this is the latest large-scale attack on the healthcare industry. The UK’s National Health Service was shut down by last year’s WannaCry epidemic, and back in 2015, Anthem, the second largest health insurance provider in the U.S., experienced a breach of about 79 million patients’ personal information.

Whether this signifies a major security crisis in the healthcare sector or not, it certainly shows that the industry is a major target and standards are not enough to thwart attacks. While no medical records were accessed in the SingHealth attack, it’s another case of personal information being stolen and likely ending up for sale to the highest bidder.

Customers, then, are forced to wonder how they can keep their information secure and prevent identity fraud. The answer, unfortunately, is there’s little individuals can do to impact corporate security, especially with cyber criminals constantly using new and enhanced tactics. But, customers can help protect themselves on a personal level by properly managing their passwords and regularly monitoring their own accounts for suspicious activity. In the U.S., the FTC has mandated that each of the three major credit reporting agencies provide one free credit report to each person every 12 months.

On a corporate level, company executives have to make investments in the latest security technologies and experienced personnel, and they must be diligent in continuously monitoring for attacks. No company is too small, nor too large. If you’re serious about your corporate security posture, find out how VoiceVault can help prevent you from becoming the next SingHealth.

Identity theft and fraud cost businesses and their customers billions each year between direct monetary losses and the costs of dealing with ensuing issues. While the terms Identity Theft and Identity Fraud are related, they are not the same, despite often being used interchangeably. There are important distinctions, including how they impact victims.

Identity Theft

Identity theft refers to the actual acquisition of personal data – typically for use in additional criminal activity, including selling that data to other criminals. Data can include social security numbers, credit card or bank account details, driver’s license numbers, passwords, and other personal information and details that can be later used to perpetrate fraud.

Identity thieves can use any number of methods for stealing personal information, ranging from the use of advanced hacking techniques and intricate scams to more basic burglary and dumpster searches. There’s been a high incidence of corporate network hacking over the past few years that has resulted in millions of customers’ information being stolen. Due to the sheer size of customer databases, corporate networks are a high-value target for thieves. In addition, because most people have a large amount of personal information stored on their mobile devices, they also have become a target because they can provide information for many different criminal uses.

Identity Fraud

Identity fraud is the use of stolen identity data for criminal purposes. Criminals use identity information to make fraudulent purchases, open fake bank or credit card accounts, and take out loans – often by using the data to create false identities supported by real data.

The impact of identity fraud extends beyond identity theft victims to the organizations where the information is used, including merchants, financial institutions, credit card companies, and others. In fact, everyone is affected by identity fraud, because organizations build the costs of fraud into their pricing structure, meaning every customer bears part of the burden.

Recovering from identity fraud can be a difficult task, even after it’s been identified and accounts have been closed. Accounts created by thieves can appear on credit reports for a long time, negatively impacting victims’ ability to secure loans for home or vehicle purchases or open new credit accounts.

Protecting Your Information

Individuals should regularly check their credit reports to look for any fraudulent accounts. If anything appears that hasn’t been authorized, contact the company, credit bureau, and authorities immediately to let them know your identity may have been compromised. Make sure you don’t leave your mobile devices anywhere, and be cautious about connecting to wireless networks. Also be wary about sharing any details that put your identity and accounts at risk – legitimate organizations won’t typically ask for sensitive information without you having contacted them first. If someone does, don’t hesitate to hang up and contact the institution on your own to verify the activity.

Businesses should make security a top priority and ensure they always have the latest protective measures in place for securing customer information. The latest security techniques, including voice authentication, make it much more difficult for criminals to gain access to customer accounts, even if identity information has been compromised.

School’s out, which means summer vacation season is here. It also means identity thieves are chomping at the bit, knowing the warm weather means an increase in travel and related purchases, which translates into opportunity. While you can’t always prevent your credit card information or other personal data from being stolen, there are several steps you and your customers can take to help ensure identity theft doesn’t turn into identity fraud. It’s one thing to have to replace stolen or compromised credit cards, but it’s an entirely more complicated, time-consuming, and costly task to repair credit once fraud has been perpetrated – or if your corporate credentials have led to a more significant security breach.

Let your financial institutions know you’ll be traveling.

Most banks are quick to block transactions that are out of character – which includes point-of-sale transactions in new geographies, unusual purchases or activities, and even just very high transaction amounts. Knowing where and when you are traveling will allow your banks to better protect you during and after your trip.

Use caution when accessing public WiFi

When accessing free public WiFi networks, you are putting yourself at risk. Hackers can easily intercept traffic and gain access to your device and accounts. Be aware of fake “free” access that requires you to install software – that should be a red flag. If you are going to use public WiFi, make sure to only use networks that require log-in. While they aren’t foolproof by any means, they do provide an added layer of security over open APs. Do not access your bank accounts or initiate transactions unless you know you are on a secure network. It’s hard, but resisting the urge to log onto social media constantly can be the difference between being exposed and not.

Be cautious with ATMs

Scammers are notorious for retrofitting ATM machines with skimming devices that read your card data, allowing thieves to create false cards with your account information and sell it or make purchases themselves. Be aware of anything that looks out of place, and don’t be afraid to jiggle the card reader – if it feels loose or oversized, best to keep away. Also, never give out your PIN or write it on the back of your card.

Don’t overstuff your wallet

Tourists are easy marks – they tend to carry fat wallets with their cash and credit cards. Carry only the cash you need for the day, and there’s no need to bring more than one (maybe two at most) credit cards. If your wallet looks overly full, you’re only inviting pickpockets and scammers who are ready to prey on your vacation habits and walk away with your cash and identity.

Lock screens and Find My iPhone

Common sense suggests you have a lock screen enabled at all times, but many people don’t, simply to save a few seconds. If your phone is stolen, a lock screen can keep your personal information and account data from being stolen. Phone tracking software can help you quickly locate your device if it is stolen or lost.

Complex authentication

Whenever possible, make use of more complex identity verification methods. While two-factor authentication may seem like a hassle, it makes it much harder for your data to be stolen. Similarly, voice authentication may seem like an extraneous step, but it provides a unique identifier that is much harder to breach than other password-driven authentication protocols. Increasingly, financial institutions and other organizations are adopting voice and other biometric authentication methods in an effort to reduce fraud and protect revenue.

To understand how voice authentication can help keep you and your customers safe, read more.

Considered by many as the greatest sporting event in the world, the 2018 World Cup in Russia may be missing some traditional participants this year, including Italy, Netherlands, Chile, and the United States, but what it won’t be lacking is a host of cyber criminals looking to steal sensitive personal information from unwary participants and the masses of fans who have traveled to watch them compete.

Even though media, government organizations, and soccer organizations have made cyber security concerns a key issue, it’s certain hackers are looking to exploit the fact that hundreds of thousands of fans are looking for connectivity during the 21st edition of the quadrennial event. Given the global presence at the World Cup and high international data rates with most carriers, a large percentage of fans rely on WiFi for connectivity. Even for those with international plans, mobile networks are put to the test and deliver reduced performance, sending even those users looking for WiFi access.

Kaspersky Labs reported it tested the security of more than 32,000 public access points recently in Russia’s 11 host cities – more than 7,000 were not using appropriate encryption or authentication measures. Meaning, while there are many secure WiFi connections, there are many that can be targeted by hackers as easy opportunities to steal personal information from users. All they would need to do is be in the vicinity of those hotspots, wait for unprepared visitors to connect, and easily intercept traffic to collect data.

Fans and participants alike should be aware of the presence of unsecure access points and take extra care to avoid them. Many of them may have SSIDs set up to fool users into believing they are legitimate networks. Some organizations, like England’s FA, have specifically advised players, coaches, and staff not to use public WiFi, even those provided at the team’s hotel. Here are a few tips that can help protect your devices and data while traveling at the World Cup, or anywhere.

Never use open WiFi (those without password protected access).

Consider connecting through a VPN if you are using WiFi. Most public access points aren’t using the latest encryption technology. A VPN will help protect your information even if it is intercepted.

Make sure lock screens and security are active on any devices.

Avoid any online shopping or other financial activity.

Use cash, travelers checks, or gift cards in lieu of credit cards to avoid account information being stolen.

Don’t use, accept or click on links, websites, attachments, or flash drives that could give hackers access to your devices.

While there’s a lot that individual users can do to protect themselves, financial institutions and other vendors should be aware of the likelihood that user information will be stolen, not only at major events, but at any time. They, too, should be prepared by making sure they have appropriate user authentication measures in place. Because PINs, passwords, and knowledge-based responses can all be exposed to hackers, biometric security measures, like voice authentication, can make it much harder for thieves to gain access to accounts or set up fraudulent accounts. With the massive numbers of attack opportunities for cyber criminals, security has to be a priority for everyone – vendors and customers alike – in order to limit risk and losses.

New EU data protection rules are designed to protect customer data through stronger privacy and security requirements. GDPR (General Data Protection Regulation) goes into effect on May 25, 2018, and the second Payment Services Directive (PSD2) is not far off with a September 2019 implementation deadline. The new regulations are intended to ensure better customer information security and privacy while reducing fraud, essentially by giving control over data to its owners – consumers.

GDPR provides new policy around data collection and storage, including a requirement for consent to data collection and the right for consumers to request that any data collected on them be erased permanently. PSD2 allows customers to approve access to their bank account data by third parties, modernizing the payment structure in line with the growth of e-commerce. It also puts into place stronger user authentication checks for online transactions – at a minimum, two-factor authentication, which can include voice authentication or other biometrics.

This is all good for consumers, in theory, but there are potential drawbacks.

While consumers have generally adapted to an online economy and the need for heightened security has been prominently featured in media headlines thanks to many high-profile breaches, many consumers and businesses don’t take the risk as seriously as they should. Two-factor authentication provides an additional layer of security, but it also adds complexity to completing transactions for consumers, which could lead to a new resistance to online purchasing. That, in turn, could result in vendors opting to not implement additional security features, putting them and their customers at risk.

It’s clear payment structures have to more efficiently accommodate the digital era and the ability to authorize access to account information serves to democratize the payment industry. But, there are risks here as well. By providing access to sensitive account information to more parties, the risk is inherently increased by serving up new attack opportunities for cyber criminals. The burden of account security will be the domain of every online vendor with access to banking details.

Third, fraud identification relies on massive amounts of user data. A reduction of collectable data means merchants and fraud scoring systems will reach conclusions based on fewer data points, making it more difficult to accurately identify fraud. That can lead to increased false flags or missed fraudulent activity. Both are likely to have a negative impact on consumer sentiment. Even worse, cyber criminals are smart and adapt to changing conditions. The new rules could allow identity thieves to request data removal, which would mean those data points could no longer be used in scoring systems and lists of identified fraudulent activity.

There’s no question the intent of both GDPR and PSD2 is to protect customers – and by extension, businesses. But, they have potential flaws that could be exploited by fraudsters. The best way forward for consumers and merchants alike is to take security seriously and to understand that new identity verification methods, like voice authentication or fingerprint scanning, add a step to the process, but the inconvenience is minor compared to having to deal with identity theft or fraud.

To learn more about how voice authentication can help reduce fraud, visit VoiceVault.

Hackers want your money, and that includes your retirement nest egg. The bottom line is this: If you have a 401(k) account, be careful about who you allow to access it.

If you’re a 401(k) plan provider, or even an employer who offers your workers such a plan, be sure to warn participants about the potential for hacking. You should consult regulations – like the Employee Retirement Income Security Act of 1974 – regarding your financial responsibility for account protection, loss, and replacement. Then you can be sure to communicate the right messages to account holders (and their employers) on how to safeguard 401(k) savings.

For example, 401(k) providers should be alerted that fraudsters are a real threat to these accounts. Studies indicate that foreign hackers are trying to gain access to the $5.3 trillion in U.S. 401(k) assets today.

That said, it makes sense to warn retirement plan holders to avoid granting access to their accounts via email, phone, or text – even when communications appear to be from their employer or the plan administrator. Phishing is a common way fraudsters masquerade as legitimate organizations to get unsuspecting people to reveal personal information like account numbers and passwords.

Plan administrators and sponsors may also want to suggest that 401(k) account holders use strong passwords, change those passwords often, employ two-factor authentication, and avoid doing financial transactions on unsecured public connections. Voice authentication is another great option for providing a high level of security to 401(k) accounts.

Plan administrators and sponsors may want to configure the plans they offer and the systems they use to support them to only allow 401(k) account changes or withdrawals to occur when a certain set of steps are performed and information provided. Again, voice authentication provides a unique security mechanism that makes hacking very difficult.

When accounts are hacked, people and organizations suffer. If sponsors or third-party administrators are found at fault, they may be responsible for replacing that loss.

On the heels of Kmart and Delta data breaches, Best Buy is one of the latest retailers to confess that customers’ information may have been compromised. Third-party data firm [24]7.ai was affected by a malware hack, generating cause for concern from Best Buy, which uses chatbots for customer service calls and online sales. Where does data security go from here? Best Buy will have to tackle that question as it sorts out the muck caused by the [24]7.ai breach.

Although credit card and other customer information is at risk, the damage done is not as insurmountable for Best Buy as it is for other retailers. While thousands of customers have fallen victim to information hacks in the previous cases, Best Buy remains confident much of their customer base is safe.

Best Buy issued an apology, now in the spotlight of the data privacy epidemic: “We are fully aware that our customers expect their information to be safeguarded and apologize to the extent that did not happen in this case.” A privacy hub website has been set up to address customers’ concerns about protecting their information. But is it too little too late?

Since US legislation may not be stringent enough to regulate privacy practices at major firms like electronics giant Best Buy, what can you, as a consumer, do to protect your data? A step in the right direction, apart from boycotting businesses, is to regularly update passwords and take stock of who has your credit card information saved in their online database. Companies can take heed by auditing data practices, formalizing procedures for third-party data access, and further solidifying security measures by utilizing voice biometrics as part of a multifactor authentication security solution.

Remember, security is everyone’s problem, and both customers and retailers have an obligation to do their part to ensure it.

To learn how VoiceVault can help develop or enhance your corporate security strategy, click here.

As if tax season wasn’t painful enough already, the Internal Revenue Service reports that identity theft related to tax refund fraud continues to plague the American people and the economy at epidemic levels. While the numbers have decreased from highs around 2015, the IRS reports that tens of thousands of taxpayers are still victimized on an annual basis.

While you should be mindful of cybersecurity all year long, now is the time to be particularly vigilant, with Tax Day just around the corner. In an effort to ensure your protection, here are five ways that you can fight back against malicious actors this year.

Update passwords: Between our personal and professional lives, the average individual must keep track of about 25 passwords. With so much to remember, many people will use duplicated or incredibly simple passwords. This makes it easy for hackers to break the code and gain access to your entire network. Set up Tax Day as your annual day to update your passwords to make yourself a more elusive target.

Biometric authentication: Adding extra layers of authentication can also be a great way to protect yourself and your personal financial data. For best results, leverage biometric technology. While hackers can fake a signature, it’s much harder to replicate the unique markings of our fingerprints, voices, faces or eyes.

Encrypt your data: If you’re sending documents over to your tax accountant, don’t do it on the public Wi-Fi at Starbucks. Even if you have firewalls and anti-virus software on your device, you’re only as secure as the network on which you transmit files. Consider using an encrypted messaging service or a virtual private network for such sensitive documents.

Credit reports and SSA statements: Every year, you’re entitled to a free credit report and social security statement. If someone already has gotten hold of your information, you may find it in these reports. Maybe you’ll see a strange new card added to your credit report. Maybe you’ll see your personal information with someone else’s earnings reported on the SS statement. Check these out annually and you’ll catch fraud that has already occurred before your financial reputation is irrevocably destroyed.

Always have backup: What do you do if you’re targeted with ransomware and lose access to your tax documents or other financial records? If you don’t have back-up, you only have two options: pay up, or lose the information forever. Colocate vital data off-site in the cloud or a private server for starters. And of course, while less modern, it doesn’t hurt to have paper copies either.

There are few ways to destroy your finances more quickly than handing over your data to a thief. To learn more ways to protect your identity, click here.